CVE-2024-49508: 
Adobe InDesign vulnerability analysis and mitigation

CVE-2024-49508 is a Heap-based Buffer Overflow vulnerability affecting Adobe InDesign Desktop versions ID18.5.2, ID19.5 and earlier. The vulnerability was discovered and disclosed in November 2024. The affected systems include both Windows and macOS versions of Adobe InDesign (NVD, ASEC).

The vulnerability is classified as a Heap-based Buffer Overflow (CWE-122) with a CVSS v3.1 Base Score of 7.8 (HIGH). The attack vector is Local (AV:L), with Low attack complexity (AC:L), requiring No privileges (PR:N) and User interaction (UI:R). The scope is Unchanged (S:U) with High impact on Confidentiality, Integrity, and Availability (C:H/I:H/A:H) (NVD).

If successfully exploited, this vulnerability could result in arbitrary code execution in the context of the current user. The severity of the impact depends on the user's privileges - users with administrative rights could be more severely impacted, potentially allowing attackers to install programs, modify or delete data, or create new accounts with full user rights (CIS).

Adobe has released patches to address this vulnerability. Users are advised to update to Adobe InDesign version ID20.0 for both Windows and macOS platforms, or to version ID18.5.3 depending on their current version. It is recommended to apply these updates immediately after appropriate testing (ASEC).